Abstract

In this paper we give a polynomial-time quantum algorithm for computing orders of solvable
groups. Several other problems, such as testing membership in solvable groups, testing equality
of subgroups in a given solvable group, and testing normality of a subgroup in a given solvable
group, reduce to computing orders of solvable groups and therefore admit polynomial-time
quantum algorithms as well. Our algorithm works in the setting of black-box groups, wherein
none of these problems can be computed classically in polynomial time. As an important
byproduct, our algorithm is able to produce a pure quantum state that is uniform over the
elements in any chosen subgroup of a solvable group, which yields a natural way to apply
existing quantum algorithms to factor groups of solvable groups.

1 Introduction

The focus of this paper is on quantum algorithms for group-theoretic problems. Specifically we
consider finite solvable groups, and give a polynomial-time quantum algorithm for computing
orders of solvable groups. Naturally this algorithm yields polynomial-time quantum algorithms for
testing membership in solvable groups and several other related problems that reduce to computing
orders of solvable groups. Our algorithm is also able to produce a uniform pure state over
the elements in any chosen subgroup of a solvable group, which yields a natural way of applying
certain quantum algorithms to factor groups of solvable groups. For instance, we describe a
method by which existing quantum algorithms for abelian groups may be applied to abelian factor
groups of solvable groups, despite the fact that the factor groups generally do not satisfy an important
requirement of the existing quantum algorithms — namely, that elements have unique, succinct
classical representations.

We will be working within the context of black-box groups, wherein elements are uniquely encoded
by strings of some given length n and the group operations are performed by a black-box (or
group oracle) at unit cost. Black-box groups were introduced by Babai and Szemerédi in 1984
and have since been studied extensively. Any efficient algorithm that works in the
context of black-box groups of course remains efficient whenever the group oracle can be replaced
by an efficient procedure for computing the group operations. In the black-box group setting it is
provably impossible to compute order classically in polynomial time, even in the more restricted
case that the groups in question are abelian [7].

Essentially all previously identified problems for which quantum algorithms offer exponential
speed-up over the best known classical algorithms can be stated as problems regarding abelian
groups. In 1994, Shor [31] presented polynomial-time quantum algorithms for integer factoring and
computing discrete logarithms, and these algorithms generalize in a natural way to the setting of
finite groups. Specifically, given elements g and h in some finite group G it is possible, in quantum
polynomial time, to find the smallest positive integer k such that $h = g^k = g \cdot g \cdots g$ (k times),
provided there exists such a k. In case h is the identity one obtains the order of g, to which there is
a randomized polynomial-time reduction from factoring when the group is the multiplicative group
of integers modulo the integer n to be factored. It should be noted that while the group G need not
necessarily be abelian for these algorithms to work, we may view the algorithms as taking place in
the abelian group generated by g.

Shor's algorithms for integer factoring and discrete logarithms were subsequently cast in a
different group-theoretic framework by Kitaev [25, 26]. This framework involves a problem called
the Abelian Stabilizer Problem, which may be informally stated as follows. Let k and n be positive
integers, and consider some group action of the additive abelian group $\mathbb{Z}^k$ on a set $X \subseteq \Sigma^n$,
where the group action can be computed efficiently. The problem, which can be solved in quantum
polynomial time, is to compute a basis (in $\mathbb{Z}^k$) of the stabilizer $(\mathbb{Z}^k)_x$ of a given $x \in X$. Appropriate
choice of the group action allows one to solve order finding and discrete logarithms for any finite
group as above. In this case, the group G in question corresponds to the set X (meaning that
elements of X are unique representations of elements of G), and the group action of $\mathbb{Z}^k$ on X
depends on the group structure of G.

Kitaev's approach was further generalized by Brassard and Høyer, who formulated the
Hidden Subgroup Problem. (See also Høyer, and Mosca and Ekert.) The Hidden Subgroup
Problem may be informally stated as follows. Given a finitely generated group G and an efficiently
computable function f from G to some finite set X such that f is constant and distinct on left-cosets
of a subgroup H of finite index, find a generating set for H. Mosca and Ekert showed that Deutsch's
Problem [15], Simon's Problem, order finding and computing discrete logarithms [31], finding
hidden linear functions, testing self-shift-equivalence of polynomials, and the Abelian
Stabilizer Problem [25, 26] can all be solved in polynomial time within the framework of the
Hidden Subgroup Problem. In the black-box group setting, the Hidden Subgroup Problem can be
solved in quantum polynomial time whenever G is abelian, as demonstrated by Mosca [27]. Mosca
also proved that several other interesting group-theoretic problems regarding abelian black-box
groups can be reduced to the Hidden Subgroup Problem, and thus can be computed in quantum
polynomial time as well. For instance, given a collection of generators for a finite abelian black-box
group, one can find the order of the group, and in fact one can decompose the group into a direct
product of cyclic subgroups of prime power order, in polynomial time.¹ (See also Cheung and
Mosca [12] for further details.)

¹ This is particularly interesting from the standpoint of algebraic number theory since, assuming the Generalized
Riemann Hypothesis, it follows that there is a polynomial-time quantum algorithm for computing class numbers
of quadratic number fields. As there exists a reduction from factoring to the problem of computing class numbers
for quadratic number fields — again assuming the Generalized Riemann Hypothesis — while no reduction in the other
direction is known, the problem of computing class numbers is often considered as a candidate for a problem harder
than integer factoring. See Cohen for further information about computing in class groups.

The Hidden Subgroup Problem has been considered in the non-abelian case, although with
limited success (see, for instance, Ettinger and Høyer [16], Ettinger, Høyer, and Knill [17], Rötteler
and Beth, and Hallgren, Russell, and Ta-Shma). No polynomial-time algorithm for the
Hidden Subgroup Problem is known for any class of non-abelian groups except for a special class
of groups based on wreath products considered by Rötteler and Beth. The Non-abelian Hidden
Subgroup Problem is of particular interest as it relates to the Graph Isomorphism Problem; Graph
Isomorphism reduces to a special case of the Hidden Subgroup Problem in which the groups in
question are the symmetric groups. Beals has shown that quantum analogues of Fourier transforms
over symmetric groups can be performed in polynomial time, although thus far this has not
proven to be helpful for solving the Graph Isomorphism Problem.

In this paper we move away from the Hidden Subgroup Problem and consider other group- 
theoretic problems for non-abelian groups — in particular we consider solvable groups. Our main 
algorithm finds the order of a given solvable group and, as an important byproduct, produces a 
quantum state that approximates a uniform superposition over the elements of the given group. 

Theorem 1 There exists a quantum algorithm operating as follows (relative to an arbitrary group
oracle). Given generators $g_1, \ldots, g_k$ such that $G = \langle g_1, \ldots, g_k \rangle$ is solvable, the algorithm outputs
the order of G with probability of error bounded by $\varepsilon$ in time polynomial in $n + \log(1/\varepsilon)$ (where n is
the length of the strings representing the generators). Moreover, the algorithm produces a quantum
state $\rho$ that approximates the pure state $|G\rangle = |G|^{-1/2} \sum_{g \in G} |g\rangle$ with accuracy $\varepsilon$ (in the trace norm
metric).

Several other problems reduce to the problem of computing orders of solvable groups, including 
membership testing in solvable groups, testing equality of subgroups in a given solvable group, and 
testing that a given subgroup of some solvable group is normal. Thus, these problems can be solved 
in quantum polynomial time as well. 

Since any subgroup of a solvable group is solvable, our algorithm can be applied to any subgroup
H of a solvable group G in order to obtain a close approximation to the state $|H\rangle$. The main
application of being able to efficiently prepare uniform superpositions over subgroups of solvable
groups is that it gives us a simple way to apply existing quantum algorithms for abelian groups
to abelian factor groups of solvable groups, despite the fact that we do not have unique classical
representations for elements in these factor groups. This method is discussed further in Section 4.

Arvind and Vinodchandran have shown that several problems regarding solvable groups,
including membership testing and order verification, are low for the complexity class PP, which
means that an oracle for these problems is useless for PP computations. Fortnow and Rogers [18]
proved that any problem in BQP is low for PP, and thus we have obtained an alternate proof
that membership testing and order verification for solvable groups are both low for PP. It is left
open whether some of the other problems proved low for PP by Arvind and Vinodchandran have
polynomial-time quantum algorithms. An interesting example of such a problem is testing whether
two solvable groups have a nontrivial intersection.

The remainder of this paper has the following organization. In Section 2 we review necessary
background information for this paper, including a discussion of black-box groups in the context of
quantum circuits and other information regarding computational group theory. Section 3 describes
our quantum algorithm for finding the order of a solvable group as stated in Theorem 1, and
Section 4 discusses other problems that can be solved by adapting this algorithm. We conclude
with Section 5, which mentions some open problems relating to this paper.

Correction to earlier version

In an earlier version of this paper it was claimed that our algorithm could be used to test isomorphism
of two solvable groups. However, this claim was based on an incorrect assumption regarding
solvable groups (specifically that if the corresponding factor groups in the derived series of two
solvable groups are isomorphic, then the groups themselves are necessarily isomorphic). Thus, we
currently do not have a polynomial-time quantum algorithm for testing isomorphism of solvable
groups. We thank Miklos Santha for bringing this error to our attention.



2 Preliminaries 

In this section we review information regarding computational group theory that is required for the
remainder of the paper. We assume the reader is familiar with the theory of quantum computation,
and specifically with the quantum circuit model, so we will not review this model further except to
discuss black-box groups in the context of quantum circuits. The reader not familiar with quantum
circuits is referred to Nielsen and Chuang [29]. We also assume the reader is familiar with the basic
concepts of group theory (see, for example, Isaacs).

Given a group G and elements $g, h \in G$ we define the commutator of g and h, denoted [g, h], as
$[g,h] = g^{-1}h^{-1}gh$, and for any two subgroups $H, K \le G$ we write [H, K] to denote the subgroup
of G generated by all commutators [h, k] with $h \in H$ and $k \in K$. The derived subgroup of G is
$G' = [G,G]$, and in general we write $G^{(0)} = G$, $G^{(1)} = G'$, $G^{(2)} = (G')'$, ..., $G^{(j)} = (G^{(j-1)})'$, etc.
A group G is said to be solvable if $G^{(m)} = \{1\}$ (the group consisting of just one element) for some
value of m. Every abelian group is solvable, since $G^{(1)} = \{1\}$ in this case, but it is not necessarily
the case that a given solvable group is abelian (for example, $S_3$, the symmetric group on 3 symbols,
is solvable but not abelian). On the other hand many groups are not solvable (for example, $S_n$ is
not solvable whenever $n \ge 5$). An equivalent way to define what it means for a (finite) group to
be solvable is as follows. A finite group G is solvable if there exist elements $g_1, \ldots, g_m \in G$ such
that if we define $H_j = \langle g_1, \ldots, g_j \rangle$ for each j, then $\{1\} = H_0 \trianglelefteq H_1 \trianglelefteq \cdots \trianglelefteq H_m = G$. Note that
$H_{j+1}/H_j$ is necessarily cyclic in this case for each j. Given an arbitrary collection of generators for
a solvable group G, a polynomial-length sequence $g_1, \ldots, g_m$ as above can be found via a (classical)
Monte Carlo algorithm in polynomial time (discussed in more detail below). It is important to
note that we allow the possibility that $H_j = H_{j+1}$ for some values of j in reference to this claim.

We will be working in the general context of black-box groups, which we now discuss. In a
black-box group, each element is uniquely encoded by some binary string, and we have at our
disposal a black-box (or group oracle) that performs the group operations on these encodings at
unit cost. For a given black-box group, all of the encodings are of a fixed length n, which is the
encoding length. Thus, a black-box group with encoding length n has order bounded above by
$2^n$. Note that not every binary string of length n necessarily corresponds to a group element,
and we may imagine that our group oracle has some arbitrary behavior given invalid encodings.
(Our algorithms will never query the oracle for invalid group element encodings given valid input
elements.) When we say that a particular group or subgroup is given (to some algorithm), we mean
that a set of strings that generate the group or subgroup is given. Note that every subgroup of a
black-box group with encoding length n has a length $O(n^2)$ description.

Since we will be working with quantum circuits, we must describe black-box groups in this
setting. Corresponding to a given black-box group G with encoding length n is a quantum gate
$U_G$ acting on 2n qubits as follows: $U_G|g\rangle|h\rangle = |g\rangle|gh\rangle$. Here we assume g and h are valid group
elements — in case any invalid encoding is given, $U_G$ may act in any arbitrary way so long as it
remains reversible. The inverse of $U_G$ acts as follows: $U_G^{-1}|g\rangle|h\rangle = |g\rangle|g^{-1}h\rangle$. When we say that
a quantum circuit has access to a group oracle for G, we mean that the circuit may include the
gates $U_G$ and $U_G^{-1}$ for some $U_G$ as just described. More generally, when we are discussing uniformly
generated families of quantum circuits, a group oracle corresponds to an infinite sequence of black-box
groups $G_1, G_2, \ldots$ (one for each encoding length), and we allow each circuit in the uniformly
generated family to include gates of the form $U_{G_n}$ and $U_{G_n}^{-1}$ for the appropriate value of n.

As noted by Mosca [27], the gates $U_G$ and $U_G^{-1}$ above can be approximated efficiently if we
have a single gate $V_G$ acting as follows on 3n qubits: $V_G|g\rangle|h\rangle|x\rangle = |g\rangle|h\rangle|x \oplus gh\rangle$, again where we
assume g and h are valid group elements (and x is arbitrary). Here, $x \oplus gh$ denotes the bitwise
exclusive or of the string x and the string encoding the group element gh. This claim follows from
the fact that given the gate $V_G$, we may find the order of any element g using Shor's algorithm, from
which we may find the inverse of g. Once we have this, techniques in reversible computation due to
Bennett allow for straightforward simulation of $U_G$ and $U_G^{-1}$. Since it is simpler to work directly
with the gates $U_G$ and $U_G^{-1}$, however, we will assume that these are the gates made available for a
given black-box group.

Now we return to the topic of solvable groups, and review some known facts about solvable
groups in the context of black-box groups. First, with respect to any given group oracle, if we are
given generators $g_1, \ldots, g_m$ of encoding length n, it is possible to test whether $G = \langle g_1, \ldots, g_m \rangle$ is
solvable via a polynomial time (in nm) Monte Carlo algorithm. Moreover, the same algorithm
can be used to construct (with high probability) generators $g_1^{(j)}, \ldots, g_k^{(j)}$, for j = 0, ..., n and where
k = O(n), such that $G^{(j)} = \langle g_1^{(j)}, \ldots, g_k^{(j)} \rangle$ (so that testing solvability can be done by verifying that
$g_1^{(n)}, \ldots, g_k^{(n)}$ are each the identity element). At this point we notice (under the assumption that
G is solvable) that by relabeling the elements

$g_1^{(n-1)}, \ldots, g_k^{(n-1)},\ g_1^{(n-2)}, \ldots, g_k^{(n-2)},\ \ldots,\ g_1^{(0)}, \ldots, g_k^{(0)}$

as $h_1, \ldots, h_{kn}$ (in the order given) we have the following. If $H_j = \langle h_1, \ldots, h_j \rangle$ for j = 0, ..., kn,
then $\{1\} = H_0 \trianglelefteq H_1 \trianglelefteq \cdots \trianglelefteq H_{kn} = G$. This follows from the fact that $G^{(j)} \trianglelefteq G^{(j-1)}$ for each j, and
further that $G^{(j-1)}/G^{(j)}$ is necessarily abelian. The fact that each factor group $H_j/H_{j-1}$ is cyclic
will be important for our quantum algorithm in the next section.

The problem of computing the order of a group cannot be solved classically in polynomial time
in the black-box setting even for abelian (and therefore for solvable) groups.



3 Finding the orders of solvable groups 

In this section we describe our quantum algorithm for finding the order of a given solvable black-box 
group G and preparing a uniform superposition over the elements of G. 

We assume we have elements $g_1, \ldots, g_m \in G$ such that if we define $H_j = \langle g_1, \ldots, g_j \rangle$ for each
j, then $\{1\} = H_0 \trianglelefteq H_1 \trianglelefteq \cdots \trianglelefteq H_m = G$. Note that we allow the possibility that $H_j = H_{j+1}$ for
some values of j. The existence of such a chain is equivalent to the solvability of G, and given an
arbitrary collection of generators of G such a sequence can be found via a Monte Carlo algorithm
in polynomial time as discussed in the previous section. Calculation of the orders of the factor
groups in this chain reveals the order of G; if

$r_1 = |H_1/H_0|,\quad r_2 = |H_2/H_1|,\quad \ldots,\quad r_m = |H_m/H_{m-1}|,$    (1)

then $|G| = \prod_{j=1}^{m} r_j$.

The calculation of the orders of the factor groups is based on the following idea. Suppose we
have several copies of the state $|H\rangle$ for some subgroup H of G, where $|H\rangle$ denotes the state that is
a uniform superposition over the elements of H:

$|H\rangle = \frac{1}{\sqrt{|H|}} \sum_{h \in H} |h\rangle.$

Then using a simple modification of Shor's order finding algorithm we may find the order of g with
respect to H, which is the smallest positive integer r such that $g^r \in H$, for any $g \in G$. In case
$H = \langle g_1, \ldots, g_{j-1} \rangle$ and $g = g_j$ for some j, this order is precisely $r_j = |H_j/H_{j-1}|$.

Since this requires that we have several copies of $|H_{j-1}\rangle$ in order to compute each $r_j$, we must
demonstrate how the state $|H_{j-1}\rangle$ may be efficiently constructed. In fact, the construction of the
states $|H_0\rangle, |H_1\rangle, \ldots$ is done in conjunction with the computation of $r_1, r_2, \ldots$; in order to prepare
several copies of $|H_j\rangle$ it will be necessary to compute $r_j$, and in turn these copies of $|H_j\rangle$ are
used to compute $r_{j+1}$. This continues up the chain until $r_m$ has been computed and $|H_m\rangle$ has
been prepared. More specifically, we will begin with a large (polynomial) number of copies of $|H_0\rangle$
(which are of course trivial to prepare), use some relatively small number of these states to compute
$r_1$, then convert the rest of the copies of $|H_0\rangle$ to copies of $|H_1\rangle$ using a procedure described below
(which requires knowledge of $r_1$). We continue up the chain in this fashion, for each j using a
relatively small number of copies of $|H_{j-1}\rangle$ to compute $r_j$, then converting the remaining copies of
$|H_{j-1}\rangle$ to copies of $|H_j\rangle$.



In subsections 3.1 and 3.2 we discuss the two components (computing the $r_j$ values and converting
copies of $|H_{j-1}\rangle$ to copies of $|H_j\rangle$) individually, and in subsection 3.3 we describe the main
algorithm that combines the two components. The following notation will be used in these subsections.
Given a finite group G and a subgroup H of G, for each element $g \in G$ define $r_H(g)$ to be
the smallest positive integer r such that $g^r \in H$ (which we have referred to as the order of g with
respect to H). For any positive integer m and $k \in \mathbb{Z}$ we write $e_m(k)$ to denote $e^{2\pi i k/m}$. Finally,
for any finite set S we write $|S\rangle = |S|^{-1/2} \sum_{g \in S} |g\rangle$.

3.1 Finding orders with respect to a subgroup 

Our method for computing the order of an element g with respect to a subgroup H (i.e., computing
the $r_j$ values) is essentially Shor's (order finding) algorithm, except that we begin with one of
the registers initialized to $|H\rangle$, and during the algorithm this register is reversibly multiplied by
an appropriate power of g. In short, initializing one of the registers to $|H\rangle$ gives us an easy way
to work over the cosets of H, the key properties being (i) that the states $|g^i H\rangle$ and $|g^j H\rangle$ are
orthogonal whenever $g^i$ and $g^j$ are elements in different cosets of H (and of course $|g^i H\rangle = |g^j H\rangle$
otherwise), and (ii) for Shor's algorithm we will not need to be able to recognize which coset we
are in (or even look at the corresponding register at all) to be able to compute the order of g with
respect to H correctly.

Now we describe the method in more detail. However, since the analysis is almost identical
to the analysis of Shor's algorithm, we will not discuss the analysis in detail and instead refer the
reader to Shor [31] and to other sources in which analyses of closely related techniques are given in
detail [5].

We assume we are working over a black-box group G with encoding length n, and that a
quantum register R has been initialized to state $|H\rangle$ for H some subgroup of G. For given g we
are trying to find $r = r_H(g)$, which is the smallest positive integer such that $g^r \in H$. Let A be a
quantum register whose basis states correspond to $\mathbb{Z}_N$ for N to be chosen later, and assume A is
initialized to state $|0\rangle$.

Similar to Shor's algorithm, we (i) perform the quantum Fourier transform modulo N ($\mathrm{QFT}_N$)
on A, (ii) reversibly left-multiply the contents of R by $g^a$, for a the number contained in A, and
(iii) perform $\mathrm{QFT}_N$ on A. Multiplication by $g^a$ can easily be done reversibly in polynomial time
using the group oracle along with repeated squaring. The state of the pair (A, R) is now

$\frac{1}{N} \sum_{a \in \mathbb{Z}_N} \sum_{b \in \mathbb{Z}_N} e_N(-ab)\, |b\rangle |g^a H\rangle.$

Observation of A yields some value $b \in \mathbb{Z}_N$; we will have with high probability that b/N is a good
approximation to k/r (with respect to "modulo 1" distance), where k is randomly distributed in $\mathbb{Z}_r$.
Assuming N is sufficiently large, we may find relatively prime integers u and v such that u/v = k/r
with high probability via the continued fraction method — choosing $N = 2^{2n + O(\log(1/\varepsilon))}$ allows us to
determine u and v with probability $1 - \varepsilon$. Now, to find r, we repeat this process $O(\log(1/\varepsilon))$ times
and compute the least common multiple of the v values, which yields r with probability at least
$1 - \varepsilon$.
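
The classical side of this procedure can be checked numerically. The block below is an added example, not code from the paper: it computes the exact distribution of the observed value b (which depends on g and H only through r), applies the continued-fraction step with Python's Fraction.limit_denominator, and takes the least common multiple over several runs. The sample group Z_31^* with H = <2> and g = 3, and all function names, are assumptions made for illustration.

```python
import math
import random
from fractions import Fraction

def order_mod_subgroup(g, H, p):
    """Smallest r >= 1 with g^r in H, for g in Z_p^* (classical brute force)."""
    x, r = g % p, 1
    while x not in H:
        x, r = (x * g) % p, r + 1
    return r

def outcome_distribution(r, N):
    """Exact distribution of the value b observed in register A.

    |g^a H> depends only on a mod r and distinct cosets are orthogonal, so
    P(b) = N^-2 * sum_c |sum_{a = c (mod r)} e_N(-ab)|^2, a geometric sum.
    """
    probs = []
    for b in range(N):
        t = (r * b) % N
        total = 0.0
        for c in range(r):
            M = (N - c + r - 1) // r      # how many a in [0, N) are = c mod r
            if t == 0:
                total += M * M
            else:
                x = math.pi * t / N
                total += (math.sin(M * x) / math.sin(x)) ** 2
        probs.append(total / N ** 2)
    return probs

def recover_denominator(b, N, bound):
    """Continued-fraction step: denominator v of the fraction u/v closest to
    b/N among all fractions with v <= bound (bound = 2^n >= r)."""
    return Fraction(b, N).limit_denominator(bound).denominator

def order_from_outcomes(outcomes, N, bound):
    """Least common multiple of the denominators recovered from several runs."""
    r = 1
    for b in outcomes:
        v = recover_denominator(b, N, bound)
        r = r * v // math.gcd(r, v)
    return r

def success_probability(r, N, bound):
    """Probability that one run yields a fraction of the form k/r."""
    probs = outcome_distribution(r, N)
    return sum(p for b, p in enumerate(probs)
               if r % recover_denominator(b, N, bound) == 0)

# Constructed sample: G = Z_31^*, H = <2> = {1, 2, 4, 8, 16}, g = 3.
P, H, G_ELEM = 31, {1, 2, 4, 8, 16}, 3
N_BITS = 5                                # encoding length n

if __name__ == "__main__":
    r = order_mod_subgroup(G_ELEM, H, P)
    bound = 2 ** N_BITS
    for extra in (1, 5):
        N = 2 ** (2 * N_BITS + extra)
        print(f"N = 2^{2 * N_BITS + extra}: per-run success "
              f"{success_probability(r, N, bound):.4f}")
    N = 2 ** (2 * N_BITS + 5)
    rng = random.Random(1)
    runs = rng.choices(range(N), weights=outcome_distribution(r, N), k=8)
    print("observed b:", runs)
    print("recovered r:", order_from_outcomes(runs, N, bound), "expected", r)
```

A single unlucky pair of runs (for instance b = 0 and b = N/2) yields only a divisor of r, which is why the least common multiple is taken over O(log(1/ε)) repetitions.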

3.2 Creating uniform superpositions over subgroups 

Next we describe how several copies of the state $|H\rangle$ may be converted to several copies of the
state $|\langle g \rangle H\rangle$. It is assumed that g normalizes H (i.e., gH = Hg, implying that $\langle g \rangle H$ is a group
and that $H \trianglelefteq \langle g \rangle H$) and further that $r = r_H(g) = |\langle g \rangle H / H|$ is known. For the main algorithm this
corresponds to converting the copies of $|H_{j-1}\rangle$ to copies of $|H_j\rangle$. We note that this is the portion
of the algorithm that apparently requires the normal subgroup relations in (1), as the assumption
that g normalizes H is essential for the method.

Specifically, for sufficiently large l, l copies of $|H\rangle$ are converted to l − 1 copies of $|\langle g \rangle H\rangle$ with
high probability; the procedure fails to convert just one of the copies. We assume that we have
registers $R_1, \ldots, R_l$, each in state $|H\rangle$. Let $A_1, \ldots, A_l$ be registers whose basis states correspond
to $\mathbb{Z}_r$, and assume $A_1, \ldots, A_l$ are each initialized to $|0\rangle$. For each i = 1, ..., l do the following:
(i) perform $\mathrm{QFT}_r$ on register $A_i$, (ii) (reversibly) left-multiply the contents of $R_i$ by $g^{a_i}$, where $a_i$
denotes the contents of $A_i$, and (iii) again perform $\mathrm{QFT}_r$ on $A_i$. Each pair $(A_i, R_i)$ is now in the
state

$\frac{1}{r} \sum_{a_i \in \mathbb{Z}_r} \sum_{b_i \in \mathbb{Z}_r} e_r(a_i b_i)\, |b_i\rangle |g^{a_i} H\rangle.$

Now, measure $A_1, \ldots, A_l$, denoting the results by $b_1, \ldots, b_l$. Let $|\psi_i\rangle$ denote the resulting
(normalized) state of $R_i$ for each i, i.e.,

$|\psi_i\rangle = \frac{1}{\sqrt{r}} \sum_{a_i \in \mathbb{Z}_r} e_r(a_i b_i)\, |g^{a_i} H\rangle.$

Now we hope that at least one of the values $b_i$ is relatively prime to r; this fails to happen with
probability at most $\varepsilon$ whenever $l \in \Omega((\log\log r)(\log 1/\varepsilon))$. Assuming we are in this case, choose k
such that $b_k$ is relatively prime to r. We will use $|\psi_k\rangle$ to "correct" the state in each of the remaining
registers $R_i$, $i \ne k$, by doing the following: reversibly multiply the contents of $R_k$ by $f^c$, where f
denotes the group element contained in $R_i$ and c is any integer satisfying $c \equiv b_i b_k^{-1} \pmod{r}$. We
claim at this point that $R_i$ contains the state $|\langle g \rangle H\rangle$ and $R_k$ is unchanged (i.e., still contains $|\psi_k\rangle$).
To see this, consider an operator $M_{g^j h}$ that multiplies the contents of $R_k$ by $g^j h$ (for arbitrary
$h \in H$). As g normalizes H we have

$M_{g^j h}|\psi_k\rangle = \frac{1}{\sqrt{r}} \sum_{a_k \in \mathbb{Z}_r} e_r(a_k b_k)\, |g^{a_k + j} H\rangle = \frac{1}{\sqrt{r}} \sum_{a_k \in \mathbb{Z}_r} e_r((a_k - j) b_k)\, |g^{a_k} H\rangle = e_r(-j b_k)\, |\psi_k\rangle,$

which shows that the state $|\psi_k\rangle$ is an eigenvector of $M_{g^j h}$ with associated eigenvalue $e_r(-j b_k)$.
Thus, after performing the above multiplication, the state of the pair $(R_i, R_k)$ is

$\frac{1}{\sqrt{r|H|}} \sum_{a_i \in \mathbb{Z}_r} \sum_{h \in H} e_r(a_i b_i)\, e_r(-a_i c\, b_k)\, |g^{a_i} h\rangle |\psi_k\rangle = |\langle g \rangle H\rangle |\psi_k\rangle.$

This procedure is repeated for each value of $i \ne k$ and then $R_k$ is discarded; this results in l − 1
copies of $|\langle g \rangle H\rangle$ as desired.

It should be noted that it is not really necessary that one of the $b_i$ values is relatively prime to
r, but a more complicated procedure is necessary in the more general case. Since we already have a
polynomial-time algorithm without the more complicated procedure, we will not discuss it further.
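
The correction step can be verified with a small state-vector calculation. The block below is an added example, not code from the paper: it works in the coset basis, representing $|g^a H\rangle$ by the index a in $\mathbb{Z}_r$ (valid because distinct cosets give orthonormal states), and checks that after the controlled multiplication the pair of registers holds $|\langle g \rangle H\rangle|\psi_k\rangle$. Function names and the sample values of r, $b_i$, $b_k$ are assumptions.

```python
import cmath
from math import gcd, sqrt

def e(r, k):
    """e_r(k) = exp(2*pi*i*k/r), as defined in Section 3."""
    return cmath.exp(2j * cmath.pi * (k % r) / r)

def psi(r, b):
    """State left in R after measuring b: amplitude e_r(a*b)/sqrt(r) on coset g^a H."""
    return [e(r, a * b) / sqrt(r) for a in range(r)]

def correction_exponent(r, b_i, b_k):
    """Integer c with c = b_i * b_k^{-1} (mod r); needs gcd(b_k, r) = 1."""
    if gcd(b_k, r) != 1:
        raise ValueError("b_k is not relatively prime to r")
    return (b_i * pow(b_k, -1, r)) % r

def apply_correction(r, b_i, b_k):
    """Joint state of (R_i, R_k) after multiplying R_k by f^c, f read from R_i.

    Basis state (a_i, a_k) stands for |g^{a_i} H>|g^{a_k} H>.  Since g
    normalizes H, f in g^{a_i} H implies f^c in g^{c*a_i} H, so the
    multiplication maps coset a_k to coset a_k + c*a_i (mod r).
    """
    c = correction_exponent(r, b_i, b_k)
    psi_i, psi_k = psi(r, b_i), psi(r, b_k)
    joint = {}
    for a_i in range(r):
        for a_k in range(r):
            joint[(a_i, (a_k + c * a_i) % r)] = psi_i[a_i] * psi_k[a_k]
    return joint

def distance_to_target(r, b_k, joint):
    """Largest amplitude error against |<g>H>|psi_k>: uniform on R_i, psi_k on R_k."""
    psi_k = psi(r, b_k)
    return max(abs(joint[(a_i, a_k)] - psi_k[a_k] / sqrt(r))
               for a_i in range(r) for a_k in range(r))

def distance_without_correction(r, b_i):
    """Same error measure for R_i alone when no correction is applied."""
    return max(abs(amp - 1 / sqrt(r)) for amp in psi(r, b_i))

if __name__ == "__main__":
    r, b_i, b_k = 6, 4, 5                 # constructed sample values
    print("c =", correction_exponent(r, b_i, b_k))
    print("error before:", distance_without_correction(r, b_i))
    print("error after :", distance_to_target(r, b_k, apply_correction(r, b_i, b_k)))
```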

3.3 The main algorithm 

As above, we assume we have elements $g_1, \ldots, g_m \in G$ such that for $H_j = \langle g_1, \ldots, g_j \rangle$ for each j,
we have $\{1\} = H_0 \trianglelefteq H_1 \trianglelefteq \cdots \trianglelefteq H_m = G$. Defining $r_j = r_{H_{j-1}}(g_j) = |H_j/H_{j-1}|$ for each j we have
$|G| = \prod_{j=1}^{m} r_j$. Consider the algorithm in Figure 1. Here, k is a parameter to be chosen later.

Prepare k(m + 1) copies of the state $|H_0\rangle$, where $H_0 = \{1\}$.
Do the following for j = 1, ..., m:
    Using k − 1 of the copies of $|H_{j-1}\rangle$, compute $r_j = r_{H_{j-1}}(g_j)$ (and discard these k − 1 states).
    Use one of the copies of $|H_{j-1}\rangle$ to convert the remaining copies of $|H_{j-1}\rangle$ to copies of $|H_j\rangle$.
End of for loop.
Output $\prod_{j=1}^{m} r_j$.

Figure 1: Algorithm to compute the order of a solvable group G

It is clear that the algorithm operates correctly assuming that each evaluation of $r_j$ is done
without error, and that the copies of $|H_{j-1}\rangle$ are converted to copies of $|H_j\rangle$ without error on each
iteration of the loop. To have that the algorithm works correctly with high probability in general,
we must simply choose parameters so that the error in all of these steps is small. If we want the
entire process to work with probability of error less than $\varepsilon$, we may perform the computations of
each of the $r_j$ values such that each computation errs with probability at most $\varepsilon/(2m)$, and for each
j the copies of $|H_{j-1}\rangle$ are converted to copies of $|H_j\rangle$ with error at most $\varepsilon/(2m)$. Thus, choosing
$k = O((\log n)(\log m/\varepsilon))$ suffices. In polynomial time we may therefore achieve an exponentially
small probability of error by choosing k polynomial in n and computing the $r_j$ values with sufficient
accuracy.
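
The control flow of Figure 1 can be followed on a small permutation group. The block below is an added example, not code from the paper: it keeps the element set of $H_{j-1}$ explicitly, where the quantum algorithm keeps copies of $|H_{j-1}\rangle$, computes each $r_j$ by brute force, and rejects a generator sequence in which some $g_j$ fails to normalize $H_{j-1}$. The permutation encoding and the sample chains are assumptions.

```python
def mul(p, q):
    """Product of permutations stored as tuples: (p*q)(i) = p[q[i]]."""
    return tuple(p[i] for i in q)

def order_along_chain(generators):
    """Return (|G|, [r_1, ..., r_m]) for g_1, ..., g_m as in Figure 1.

    H holds the elements of H_{j-1}; a quantum implementation holds copies
    of the state |H_{j-1}> instead and never lists the elements.
    """
    identity = tuple(range(len(generators[0])))
    H = {identity}                                   # H_0 = {1}
    rs = []
    for j, g in enumerate(generators, start=1):
        # Section 3.2 needs g_j to normalize H_{j-1}, i.e. gH = Hg.
        if {mul(g, h) for h in H} != {mul(h, g) for h in H}:
            raise ValueError(f"g_{j} does not normalize H_{j - 1}")
        # r_j = smallest r >= 1 with g_j^r in H_{j-1}; keep g^0, ..., g^(r-1).
        powers, x = [identity], g
        while x not in H:
            powers.append(x)
            x = mul(x, g)
        rs.append(len(powers))
        # H_j = <g_j> H_{j-1} is the union of the r_j cosets g_j^a H_{j-1}.
        H = {mul(p, h) for p in powers for h in H}
    order = 1
    for r in rs:
        order *= r
    return order, rs

# Constructed inputs.  S4_CHAIN walks {1} < C2 < V4 < A4 < S4 on {0, 1, 2, 3}.
S4_CHAIN = [(1, 0, 3, 2), (2, 3, 0, 1), (1, 2, 0, 3), (1, 0, 2, 3)]
# A repeated subgroup (H_1 = H_2) is allowed and contributes r_2 = 1.
S3_CHAIN_WITH_REPEAT = [(1, 2, 0), (2, 0, 1), (1, 0, 2)]
# Same group S3, but the transposition comes first and is not normalized
# by the 3-cycle, so the chain condition fails.
S3_BAD_ORDER = [(1, 0, 2), (1, 2, 0)]

if __name__ == "__main__":
    print(order_along_chain(S4_CHAIN))
    print(order_along_chain(S3_CHAIN_WITH_REPEAT))
    try:
        order_along_chain(S3_BAD_ORDER)
    except ValueError as err:
        print("rejected:", err)
```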

4 Other problems 

In this section we discuss other problems regarding solvable groups that can be solved in quantum
polynomial time with the help of our main algorithm. First we discuss membership testing and
other problems that easily reduce to computing order. We then discuss the general technique
for computing over factor groups of solvable groups.

4.1 Membership testing and simple reductions to order finding 

Suppose we are given elements $g_1, \ldots, g_k$ and h in some black-box group with encoding length n.
Clearly $h \in \langle g_1, \ldots, g_k \rangle$ if and only if $|\langle g_1, \ldots, g_k \rangle| = |\langle g_1, \ldots, g_k, h \rangle|$. Thus, if $\langle g_1, \ldots, g_k, h \rangle$ is
solvable, then the question of whether $h \in \langle g_1, \ldots, g_k \rangle$ can be computed in quantum polynomial time.
Since there is a classical algorithm for testing solvability, it is really only necessary that $\langle g_1, \ldots, g_k \rangle$
is solvable; if $\langle g_1, \ldots, g_k \rangle$ is solvable but $\langle g_1, \ldots, g_k, h \rangle$ is not, then clearly $h \notin \langle g_1, \ldots, g_k \rangle$.

Several other problems reduce to order computation or membership testing in solvable groups. A
few examples are testing whether a given solvable group is a subgroup of another (given $g_1, \ldots, g_k$
and $h_1, \ldots, h_l$, is it the case that $\langle h_1, \ldots, h_l \rangle \le \langle g_1, \ldots, g_k \rangle$?), testing equality of two solvable
groups (given $g_1, \ldots, g_k$ and $h_1, \ldots, h_l$, is it the case that $\langle g_1, \ldots, g_k \rangle = \langle h_1, \ldots, h_l \rangle$?), and testing
whether a given group is a normal subgroup of a given solvable group (given $g_1, \ldots, g_k$ and
$h_1, \ldots, h_l$, do we have $\langle h_1, \ldots, h_l \rangle \trianglelefteq \langle g_1, \ldots, g_k \rangle$?). To determine whether $\langle h_1, \ldots, h_l \rangle$ is a
subgroup of $\langle g_1, \ldots, g_k \rangle$, we may simply test that $|\langle h_1, \ldots, h_l, g_1, \ldots, g_k \rangle| = |\langle g_1, \ldots, g_k \rangle|$ (or we
may test that each $h_j$ is an element of $\langle g_1, \ldots, g_k \rangle$ separately), to test equality we verify that
$\langle g_1, \ldots, g_k \rangle \le \langle h_1, \ldots, h_l \rangle$ and $\langle h_1, \ldots, h_l \rangle \le \langle g_1, \ldots, g_k \rangle$, and to test normality we may verify
that $g_i^{-1} h_j g_i \in \langle h_1, \ldots, h_l \rangle$ for each i and j (as well as $\langle h_1, \ldots, h_l \rangle \le \langle g_1, \ldots, g_k \rangle$). See Babai
for more examples of problems reducing to order computation.
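
The reductions above, together with the derived-series definition of solvability from Section 2, can be exercised on small permutation groups. The block below is an added example, not code from the paper: a brute-force element count stands in for the quantum order algorithm, and solvability is tested by computing the derived series directly rather than by the Monte Carlo algorithm the paper refers to. All names and sample generators are assumptions.

```python
from itertools import product

def mul(p, q):
    """Product of permutations stored as tuples: (p*q)(i) = p[q[i]]."""
    return tuple(p[i] for i in q)

def inverse(p):
    return tuple(sorted(range(len(p)), key=p.__getitem__))

def generate(gens, n):
    """All elements of <gens> inside S_n (brute-force closure)."""
    identity = tuple(range(n))
    elems, frontier = {identity}, [identity]
    while frontier:
        x = frontier.pop()
        for g in gens:
            y = mul(g, x)
            if y not in elems:
                elems.add(y)
                frontier.append(y)
    return elems

def order(gens, n):
    """Stand-in for the order algorithm of Section 3."""
    return len(generate(gens, n))

def is_solvable(gens, n):
    """True if the derived series G, G', G'', ... reaches {1}."""
    current = generate(gens, n)
    while len(current) > 1:
        commutators = {mul(mul(inverse(a), inverse(b)), mul(a, b))
                       for a, b in product(current, repeat=2)}
        derived = generate(commutators, n)
        if len(derived) == len(current):      # series stalls: not solvable
            return False
        current = derived
    return True

def is_member(h, gens, n):
    """h in <gens>?  Compare |<gens>| with |<gens, h>|."""
    if not is_solvable(gens, n):
        raise ValueError("the order algorithm needs <gens> to be solvable")
    if not is_solvable(gens + [h], n):
        return False          # <gens> solvable, <gens, h> not: h is outside
    return order(gens + [h], n) == order(gens, n)

def is_subgroup(hs, gs, n):
    return order(hs + gs, n) == order(gs, n)

def groups_equal(gs, hs, n):
    return is_subgroup(gs, hs, n) and is_subgroup(hs, gs, n)

def is_normal(hs, gs, n):
    conjugates_inside = all(is_member(mul(mul(inverse(g), h), g), hs, n)
                            for g in gs for h in hs)
    return conjugates_inside and is_subgroup(hs, gs, n)

# Constructed sample generators.
S4 = [(1, 0, 2, 3), (1, 2, 3, 0)]                 # a transposition and a 4-cycle
S4_ALT = [(1, 0, 2, 3), (1, 2, 0, 3), (0, 1, 3, 2)]
V4 = [(1, 0, 3, 2), (2, 3, 0, 1)]                 # Klein four-group
S5 = [(1, 0, 2, 3, 4), (1, 2, 3, 4, 0)]
C5 = [(1, 2, 3, 4, 0)]                            # cyclic group of order 5
THREE_CYCLE = (1, 2, 0, 3, 4)                     # with C5 it generates A5

if __name__ == "__main__":
    print("S4 solvable:", is_solvable(S4, 4), " S5 solvable:", is_solvable(S5, 5))
    print("V4 normal in S4:", is_normal(V4, S4, 4))
    print("3-cycle in C5:", is_member(THREE_CYCLE, C5, 5))
```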

In another paper we have shown that there exist succinct quantum certificates for various
group-theoretic properties, including the property that a given integer divides the order of a group
(i.e., given an integer d and generators $g_1, \ldots, g_k$ in some black-box group, where $G = \langle g_1, \ldots, g_k \rangle$
is not necessarily solvable, verify that d divides |G|). We note here that our quantum algorithm
for calculating orders of solvable groups can be used to prove the existence of succinct classical
certificates for this property. Suppose we are given d and $g_1, \ldots, g_k$ as above. Then a classical
certificate for the property that d divides |G| may consist of descriptions of p-subgroups of G for
the primes p dividing d. More specifically, suppose $d = p_1^{a_1} \cdots p_m^{a_m}$ for distinct primes $p_1, \ldots, p_m$.
Then for each prime power $p_j^{a_j}$, the certificate will include a description of some subgroup of G
having order $p_j^{a_j}$. If indeed d divides |G| there will exist such a subgroup, which is necessarily
solvable since all groups of prime power order are solvable. Thus, the order of each given p-subgroup
can be found using the order calculation algorithm. Since G is not necessarily solvable, however,
testing that each of the given p-subgroups is really a subgroup of G might not be possible with our
algorithm. However, the certificate may also include proofs of membership for each of the generators
of the p-subgroups in G. (See Babai and Szemerédi for details on proofs of membership.)

4.2 Computing over abelian factor groups

In the case of abelian black-box groups, many group-theoretic problems can be solved in polynomial
time on a quantum computer. For instance, given generators $g_1, \ldots, g_k$ for an abelian
black-box group G with encoding length n, in quantum polynomial time we may compute prime
powers $q_1, \ldots, q_m$ such that $G \cong \mathbb{Z}_{q_1} \times \cdots \times \mathbb{Z}_{q_m}$. Furthermore, there exists an isomorphism
$\theta : G \to \mathbb{Z}_{q_1} \times \cdots \times \mathbb{Z}_{q_m}$ such that for any $h \in G$, $\theta(h)$ may be computed in time polynomial in
n. Consequently, computing the order of an abelian group, testing isomorphism of abelian groups,
and several other problems can be performed in quantum polynomial time [22, 27].

We may apply these techniques for problems about abelian groups to problems about solvable
groups by working over factor groups. To illustrate how this may be done, consider the following
problem. Suppose we have a solvable group $G$ given by generators $g_1, \ldots, g_k$, and furthermore that
we have generators $h_1, \ldots, h_l$ for a normal subgroup $H$ of $G$ such that $G/H$ is abelian. We may
hope to determine the structure of $G/H$ using the technique for abelian groups mentioned above,
i.e., we wish to compute prime powers $q_1, \ldots, q_m$ such that $G/H \cong \mathbb{Z}_{q_1} \times \cdots \times \mathbb{Z}_{q_m}$. However,
a complication arises since we do not have unique classical representations for elements of $G/H$,
and so we cannot apply the technique directly. Instead, we will rely on the fact that we may
efficiently construct copies of the state $|H\rangle$ in polynomial time in order to work over the factor
group $G/H$. Assume that $r_1 = \mathrm{order}(g_1), \ldots, r_k = \mathrm{order}(g_k)$ have already been computed using
Shor's algorithm, and let $N = \mathrm{lcm}(r_1, \ldots, r_k)$. The algorithm described in Figure 2 will allow us
to solve the problem.

Prepare register $R$ in state $|H\rangle$ using the state-preparation algorithm given earlier.
Initialize registers $A_1, \ldots, A_k$ each in state $\frac{1}{\sqrt{N}} \sum_{a=0}^{N-1} |a\rangle$.
Reversibly (left-)multiply the contents of register $R$ by $g_1^{a_1} \cdots g_k^{a_k}$, where each $a_j$ denotes the contents of register $A_j$.
For $j = 1, \ldots, k$, perform the quantum Fourier transform modulo $N$ on register $A_j$.
Observe $A_1, \ldots, A_k$ (in the computational basis).

Figure 2: Quantum subroutine used for determining the structure of $G/H$.

To analyze the algorithm, define a mapping $f : \mathbb{Z}_N^k \to G/H$ as $f(a_1, \ldots, a_k) = g_1^{a_1} \cdots g_k^{a_k} H$.
The mapping $f$ is a homomorphism with $\ker(f) = \{(a_1, \ldots, a_k) \in \mathbb{Z}_N^k \mid g_1^{a_1} \cdots g_k^{a_k} \in H\}$. Define

$$\ker(f)^{\perp} = \Big\{ (b_1, \ldots, b_k) \in \mathbb{Z}_N^k \;\Big|\; \sum_{j=1}^{k} a_j b_j \equiv 0 \pmod{N} \text{ for all } (a_1, \ldots, a_k) \in \ker(f) \Big\}.$$

We have that $\ker(f)^{\perp} \cong G/H$, and in fact $f$ is an isomorphism when restricted to $\ker(f)^{\perp}$. A
straightforward analysis reveals that observation of $A_1, \ldots, A_k$ will give a random element in
$\ker(f)^{\perp}$.

Thus, running the algorithm in Figure 2 $O(k)$ times results in a generating set for $\ker(f)^{\perp}$ with
high probability. Letting $B$ be a matrix whose columns are the randomly generated elements of
$\ker(f)^{\perp}$, we may determine the numbers $q_1, \ldots, q_m$ in polynomial time by computing the Smith
normal form of $B$ (see Kannan and Bachem and Hafner and McCurley for polynomial-time
algorithms for computing Smith normal forms).
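
The classical post-processing can be checked on a small instance. The Python code below is an added example, not code from the paper: it brute-forces $\ker(f)^{\perp}$ for a constructed instance ($G = D_6$ as permutations, $H = \langle r^2 \rangle$, $N = 6$) as a classical stand-in for the subroutine of Figure 2, and reads the cyclic factor orders of $G/H$ off the Smith diagonal $d_i$ of the sample matrix as $N/\gcd(N, d_i)$. The diagonal is obtained from determinantal divisors, which is adequate for tiny matrices but is not one of the polynomial-time Smith normal form algorithms the text refers to; all function names are illustrative.

```python
import random
from itertools import combinations, product
from math import gcd
# Constructed instance: G = D_6 on 6 points, H = <r^2> (normal, G/H abelian).
r = (1, 2, 3, 4, 5, 0)            # rotation x -> x+1, order 6
s = (0, 5, 4, 3, 2, 1)            # reflection x -> -x, order 2
GENS, N = [r, s], 6               # N = lcm(order(r), order(s))

def mul(p, q):                    # composition: (p*q)(x) = p(q(x))
    return tuple(p[x] for x in q)

H = {tuple(range(6)), mul(r, r), mul(mul(r, r), mul(r, r))}

def in_kernel(a):                 # does g_1^{a_1} ... g_k^{a_k} lie in H?
    g = tuple(range(6))
    for gen, e in zip(GENS, a):
        for _ in range(e):
            g = mul(g, gen)
    return g in H

def perp():                       # ker(f)^perp by brute force over Z_N^k
    vecs = list(product(range(N), repeat=len(GENS)))
    ker = [a for a in vecs if in_kernel(a)]
    return [b for b in vecs
            if all(sum(x * y for x, y in zip(a, b)) % N == 0 for a in ker)]

def sample(trials, rng=random):   # classical stand-in for observing A_1..A_k
    space = perp()
    return [rng.choice(space) for _ in range(trials)]

def det(m):                       # Laplace expansion; fine for tiny matrices
    return sum((-1) ** j * m[0][j] * det([row[:j] + row[j + 1:] for row in m[1:]])
               for j in range(len(m))) if m else 1

def invariants(rows):             # Smith diagonal d_i = D_i / D_{i-1}
    k, prev, out = len(rows[0]), 1, []
    for i in range(1, min(len(rows), k) + 1):
        D = 0                     # D_i = gcd of all i x i minors
        for rs in combinations(rows, i):
            for cs in combinations(range(k), i):
                D = gcd(D, det([[row[c] for c in cs] for row in rs]))
        if D == 0:
            break
        out.append(D // prev)
        prev = D
    return out

def structure(samples):           # cyclic factor orders of <samples> in Z_N^k
    return sorted(o for o in (N // gcd(N, d) for d in invariants(samples)) if o > 1)
```

A single sample such as `(3, 3)` generates only a proper subgroup of $\ker(f)^{\perp}$, which is why the subroutine is repeated until the samples generate the whole group.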

This method for working over factor groups can be applied to other problems. In general,
we may represent elements in a factor group $G/H$ by quantum states of the form $|gH\rangle$. Two
states $|gH\rangle$ and $|g'H\rangle$ are of course identical whenever $gH = g'H$, and are orthogonal otherwise.
Multiplication and inversion of such states works as expected: for $U_G$ as defined earlier we have
$U_G |gH\rangle |g'H\rangle = |gH\rangle |gg'H\rangle$ and $U_G^{-1} |gH\rangle |g'H\rangle = |gH\rangle |g^{-1}g'H\rangle$. (This requires that $H$ be normal in $G$.) Hence
this gives us a natural way to represent elements of factor groups by quantum states.

5 Conclusion 

We have given a polynomial-time quantum algorithm for calculating the order and preparing a 
uniform superposition over a given solvable group, and shown how this algorithm may be used to 
solve other group-theoretic problems regarding solvable groups in polynomial time. 

There are several other problems for solvable black-box groups that we do not have polynomial-time
algorithms for. Examples include Group Intersection (given generating sets for two subgroups
of a solvable black-box group, do the subgroups have a nontrivial intersection?) and Coset
Intersection (defined similarly). See Arvind and Vinodchandran and Babai for more examples
of group-theoretic problems we may hope to solve in quantum polynomial time in the solvable
black-box group setting.

Another interesting question is whether there exist polynomial-time quantum algorithms for 
similar problems for arbitrary (not necessarily solvable) finite groups. Can our methods be extended 
to non-solvable groups, and if so, to what extent? One possible approach to the particular problem 
of calculating group order is to try and develop an algorithm to find generators for the Sylow 
subgroups of the given group, and to run our algorithm on these subgroups (which are necessarily 
solvable).